Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

Steven Bellovin <> Mon, 13 December 2010 18:55 UTC

On Dec 13, 2010, at 10:32:53 AM, Yaron Sheffer wrote:

> Just like the phrase "I am not a lawyer" is always followed by amateur legal advice (I know that for sure, I've done it myself), the same goes for "I am not a UI expert".
> Two comments:
> - There are in fact a few security-usability experts. I don't know if any of them participate in the IETF. This is an emerging research field, see e.g.
> - (I am not a UI expert, but...) Devising UI cues is extremely difficult. People will gladly enter their password when the web site displays a JPEG-rendered padlock icon. In fact *legitimate* sites have been known to display such icons, strange as it may sound.

Security and usability *is* one of my research areas.  I agree with Yoav: there are many problems with the use of client-side certificates.  In general, I like them -- the only way to log in to the computers I control is with public-key authenticated SSH -- but there are very good reasons why they are seldom used.  Private key storage and transport is the major one, but key issuance and recovery from lost or stolen keys are serious issues as well.  The security community has made that worse by layering heavyweight policies and procedures on top of the certificate issuance process, even when the value of the resource being protected isn't high enough to justify it.

(I've been worrying about usability issues for a long time.  There was one I-D that I dealt with as AD that I abstained on -- I wouldn't vote "no-ob" because I did object, but I had no better suggestion than "go back and start over".  While dealing with that document, I emailed one of the top usability people and asked

	Do you know of papers on the difficulty of administering complex 
	access control lists?  I'm trying to convince people that a 
	seriously-complex scheme will lead to massive security failures, 
	because no one will be able to get the ACLs right.

So yes, there are people in the IETF who worry about UI issues.)

		--Steve Bellovin,